
I'm heading out this week to make the yearly security pilgrimage to RSA, where lots of SPI Dynamics folks will be presenting WebInspect 7, speaking and having fun. For many of you this will be your first chance to see the new WebInspect 7, powered by our new Phoenix architecture, up close. Stop by Booth #505, where we will be giving out cool Phoenix T-shirts and providing demos. I'll certainly be in the booth as well, helping out, answering your questions and listening for cool ideas for future releases.
On Wed. night we also have big plans with our WebInspect 7 launch party (learn more and RSVP here) at the W hotel in San Francisco. I hope to see many of you there.
So what's new in WebInspect 7 and what is Phoenix?
WebInspect 7 is a total re-architecture of the product and represents about 3 years of work. It was a huge undertaking, but something we realized several years back had to be done. Why? If you look at the web application scanning market today you see a lot of products, most of which got their start around 1999, and pretty much everything since has followed the same pattern: 1) Crawl, 2) Audit, 3) Report. This process works great for the web of 1999, but what about today? Imagine trying to apply this same process to an assessment of a desktop application; it clearly doesn't apply, and with web applications looking a lot more like desktop applications these days, it doesn't apply to the web very much either. We had to rethink the very foundations of our scanner, and we gave this project a codename: Phoenix.
The Phoenix Architecture
Phoenix is much more than a set of technologies for WebInspect; it's going to be the foundation for all of our products. DevInspect, released in 2005, was the first product from SPI to be based on Phoenix, and it allowed us to deliver the first assessment product to perform both source code and blackbox testing simultaneously in a single product (what SPI calls Hybrid Analysis). But there was so much more we wanted to do. For starters, we knew we needed a new way to analyze web applications, and the old legacy 1) Crawl, 2) Audit, 3) Report process had to go. So with WebInspect 7 we introduce a first for our industry: Simultaneous Crawl and Audit (SCA). SCA takes all of the old assumptions for testing web sites and turns them on their head. The moment a session is found we go to work and don't wait around to do the audit work later. A session is what we call a request/response pair, and as WebInspect assesses your web site it maps out the sessions across your site and points out vulnerabilities immediately (just don't call sessions pages; web pages are soooooo 1999, and sessions can be much more than that). In addition to SCA we also built an entirely new state management engine that tracks the progress of your assessment: if WebInspect gets logged out or disconnected from the web site, it transparently pauses the scan and reconnects when things get into trouble. Additionally, if the scan encounters authentication schemes that can't be automated, like two-factor or CAPTCHA, it will pause the scan and ask for input.
Immediate Results
Because everything is running all out, all at once, results start to pour in fast the moment you fire up the assessment. If you fulfill your vulnerability quota in the first 5 minutes, go ahead and start a report. Notice I didn't say stop the scan; that's because you don't need to stop the scan to run a report. What if you want to kick off a second scan using multiple user IDs to check for privilege escalation vulnerabilities, or scan a completely different site at the same time to get ahead on your workload? You can do all of that at the same time within WebInspect 7.
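To make the two ideas above concrete (audit a session the moment it is found, and a state manager that notices a logout and re-authenticates without abandoning the scan), here is an added illustration in Python. It is not SPI Dynamics code and does not use the WebInspect engine; the site, its pages, the session-expiry rule and the single passive check (a missing X-Frame-Options header) are all constructed for the example. Where the real product runs crawl and audit concurrently, this model interleaves them on one thread with a priority queue so that the event order is deterministic and easy to inspect.

```python
import heapq
from dataclasses import dataclass
from itertools import count

# Constructed in-memory site (not a real host). Each entry holds the response
# headers, the links found in the body, and whether a logged-in session is required.
SITE = {
    "/":                 {"headers": {"X-Frame-Options": "DENY"}, "links": ["/help", "/account"], "auth": False},
    "/help":             {"headers": {},                          "links": [],                    "auth": False},
    "/account":          {"headers": {},                          "links": ["/account/settings"], "auth": True},
    "/account/settings": {"headers": {"X-Frame-Options": "DENY"}, "links": [],                    "auth": True},
}
SESSION_LIFETIME = 1  # constructed rule: the server drops the login after this many authenticated requests


class FakeServer:
    """Stand-in for the target site; it expires the login session to simulate being logged out."""

    def __init__(self):
        self.logged_in = False
        self.auth_requests = 0

    def login(self):
        self.logged_in = True
        self.auth_requests = 0

    def get(self, path):
        page = SITE[path]
        if page["auth"]:
            if not self.logged_in:
                return 302, {"Location": "/login"}, []
            self.auth_requests += 1
            if self.auth_requests > SESSION_LIFETIME:
                self.logged_in = False  # session timed out server-side
                return 302, {"Location": "/login"}, []
        return 200, page["headers"], page["links"]


@dataclass
class Session:
    """A request/response pair, the unit the post calls a session (not a page)."""
    path: str
    status: int
    headers: dict
    links: list


class Scanner:
    AUDIT, CRAWL = 0, 1  # queue priority: a found session is audited before crawling continues

    def __init__(self, server):
        self.server = server
        self.queue = []
        self.seq = count()  # tie-breaker so heapq never compares payloads
        self.seen = set()
        self.findings = []
        self.timeline = []  # (event, path) pairs, in the order they happened
        self.reauths = 0

    def _push(self, kind, payload):
        heapq.heappush(self.queue, (kind, next(self.seq), payload))

    def fetch(self, path):
        """State management: treat a redirect to /login as a logout, re-authenticate, retry once."""
        status, headers, links = self.server.get(path)
        if status == 302 and headers.get("Location") == "/login":
            self.timeline.append(("logout-detected", path))
            self.server.login()
            self.reauths += 1
            status, headers, links = self.server.get(path)
        return Session(path, status, headers, links)

    def audit(self, session):
        """One passive check per session; a real engine runs its full set of audits here."""
        if "X-Frame-Options" not in session.headers:
            self.findings.append((session.path, "missing X-Frame-Options header"))
        self.timeline.append(("audit", session.path))

    def crawl(self, path):
        if path in self.seen:
            return
        self.seen.add(path)
        session = self.fetch(path)
        self.timeline.append(("crawl", path))
        self._push(self.AUDIT, session)  # audit immediately, before exploring further
        for link in session.links:
            self._push(self.CRAWL, link)

    def run(self, start="/"):
        self.server.login()
        self._push(self.CRAWL, start)
        while self.queue:
            kind, _, payload = heapq.heappop(self.queue)
            if kind == self.AUDIT:
                self.audit(payload)
            else:
                self.crawl(payload)
        return self.findings


def run_scan():
    """Run the model scan against the constructed site and return the scanner for inspection."""
    scanner = Scanner(FakeServer())
    scanner.run()
    return scanner


if __name__ == "__main__":
    s = run_scan()
    for event in s.timeline:
        print(event)
    print("findings:", s.findings, "re-authentications:", s.reauths)
```

Running it shows the first finding (for /help) being reported before /account has even been requested, and the second authenticated request tripping the constructed session expiry: the scanner logs a logout, logs back in, and retries /account/settings rather than recording a false "redirect to login" result.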
New Features
I could most likely talk for days on every new feature; here are some of the highlights. Please drop a comment on this blog if you have questions or would like me to go into details on any of them:
- Simultaneous Crawl and Audit (SCA) - The crawl and audit happen together as part of one fluid process that provides immediate results within seconds of starting a scan
- Advanced Authentication Management - Manage state dynamically, detect and prompt for two factor and CAPTCHA
- Simultaneous scanning - Run more than one scan at the same time
- SQL Server storage - All scan data is stored in SQL Server for high performance, high capacity scans
- Enhanced SPI Toolkit - All the tools have received updates to improve their reach and capabilities
- SupportChannel - Send questions, issues and enhancement reports direct to SPI from within the product
- Advanced Step Mode - Run testing steps through WebInspect, recording everything and providing automated testing while you perform manual testing
- IPv6 Support - Support future Internet architectures built on IPv6 networks
- Tabbed Interface - Open multiple reports, scans and activities all within a simple, easy to navigate interface
Get Ready for the Upgrade
WebInspect 7 will be made available to all current SPI Dynamics customers, but this time we will be doing a lot of things differently. On release you will get a notice via SmartUpdate asking you if you want to install the new version. The upgrade will not be required, and you can keep on using 6.2 until you decide you want to upgrade; when you do, the WebInspect 7 install will not replace WebInspect 6.2. You can run both side by side if you want, and both will continue to receive SmartUpdates! Before you choose to upgrade, however, you are going to want to follow the next few steps:
First, make sure your system is ready; here are the new prerequisites:
- .NET 2.0 Framework (you should NOT uninstall .NET 1.1 if you have any .NET 1.1 applications you want to keep running, like WebInspect 6.2!)
- Microsoft SQL Server Express SP1 or Microsoft SQL Server (feel free to run that 20 GB scan, if you have the disk space, we've got the time)
You can get both of these components here (http://msdn.microsoft.com/vstudio/express/sql/download/)
Second, there are some things we couldn't support anymore: if you are running Windows 2000, have less than 512 MB of RAM, or have a CPU slower than 1.5 GHz, it's time to upgrade.
What to expect between now and release day
WebInspect 7 is truly a different product, so you will need to get a new license as well. SPI is going to be sending out new licenses to all existing companies in advance of release day. If for some reason you don't receive yours (perhaps we had the wrong e-mail address, or your spam filter blocked it), have no fear: just send your existing WebInspect license to support@spidynamics.com and request a new license, and we will have you up and running in no time.
When is release day?
February 14th 2007. Keep an eye on this blog for possible early release information!
Posted 02-04-2007 5:00 PM by erik.peterson